GDPR and Snoopers’ Charter: A Marriage Made in Hell

All over Europe organisations of all sizes are currently scrabbling desperately to get their house in order for 25 May 2018. What happens then? Only the biggest shake-up to Europe’s data protection laws in nearly a generation. The implications are immense, both in terms of the scope of the new regulation and the companies who will now be held liable.

There’s just one problem. The UK’s Snoopers’ Charter, or Investigatory Powers Act. Its enshrining into law of mass surveillance powers could create major problems down the line, possibly putting UK firms at a competitive disadvantage precisely at a time when they need the digital economy most.

What’s the problem?

Let’s start at the beginning. UK firms will have to comply with GDPR, even with Brexit looming. That’s because the extrication of the country from the EU will take at least two years from whenever Article 50 is triggered – presumably in March – and probably much, much longer. And even beyond that, the UK government has said in its Brexit white paper:

“The European Commission is able to recognise data protection standards in third countries as being essentially equivalent to those in the EU, meaning that EU companies are able to transfer data to those countries freely.

As we leave the EU, we will seek to maintain the stability of data transfer between EU Member States and the UK.”

This implies that the UK will broadly speaking harmonise its laws with the GDPR. But the bulk data collection powers granted by the IPA mean the regime is certainly not equivocal to that in Europe. Emily Taylor, CEO of Oxford Innovation Labs and associate fellow of Chatham House, told me that the European Court of Justice (CJEU) shows no signs on shifting its stance on bulk data collection – having recently ruled against the forerunner to the Snoopers’ Charter, DRIPA.

“Other elements of the judgment are likely to cause problems with the Investigatory Powers Act: the CJEU says that targeted data retention may be allowable, but must be restricted solely to fighting serious crime; warrants must be signed off by a court, not a minister; and the data concerned must be retained within the EU.  All these will potentially conflict with core elements of the IP Act,” she told me.

If its kept as is, the Act could therefore impact the legality of data transfers between Europe and a newly independent UK, which will be bad news for most firms reliant on a thriving digital economy.

“The impact of conflicts between the GDPR and our Investigatory Powers Act may be to hamper the competitiveness of UK tech, particularly as the GDPR seeks to protect EU citizens’ data wherever it will be processed,” she argued.

Not great for America

This is a hot button issue for Europe In fact it’s the reason why data transfers to the US were put under threat after Safe Harbour was torn down because of fears of US authorities snooping on Europeans’ data. Despite a new agreement – Privacy Shield – being put in place, there could still be bumps in the road ahead.

“Transatlantic data flows will not be legal unless there is a robust framework in place to offer EU citizens’ data equivalent protection to what is enjoyed in the EU,” said Taylor.

“President Trump’s ‘America First’ policy is likely to renew tensions over Privacy Shield – a shaky compromise which was hurriedly reached following the CJEU’s obliteration of its predecessor ‘Safe Harbour’.”

KPMG’s globa privacy advisory lead, Mark Thompson, told me that firms outside of Europe that need to comply with the GDPR are better off keeping data on European citizens inside the EU so as not to fall foul of any changes to data transfer agreements.

“Despite the USA and EU having some cultural alignment, there is potential for significant culture clash between the EU’s view of a fundamental human right to privacy and the US view on what constitutes privacy, which is significantly different,” he added.

We’ll have to wait a while to see what the fallout of all this is. But with the UK government unlikely to countenance any changes to the IPA, there could be some potentially bad news for the country’s digital economy in the next few years if nothing changes.